U.S. takes aim at cyber attacks from connected devices as recalls mount

SAN FRANCISCO (Reuters) - Obama administration officials sought on Monday to reassure the public that the administration was taking steps to counter new types of cyber attacks such as the one Friday that rendered Twitter, Spotify, Netflix and dozens of other major websites unavailable.

A padlock is displayed at the Alert Logic booth during the 2016 Black Hat cyber-security conference in Las Vegas, Nevada, U.S. August 3, 2016. REUTERS/David Becker

The Department of Homeland Security said it had held a conference call with 18 major communication service providers shortly after the attack began and was working to develop a new set of “strategic principles” for securing internet-connected devices.

DHS said its National Cybersecurity and Communications Integration Center was working with companies, law enforcement and researchers to cope with attacks made possible by the rapidly expanding number of smart gadgets that make up the “Internet of Things.”

Such devices, including web-connected cameras, appliances and toys, have little in the way of security. More than a million of them have been commandeered by hackers, who can direct them to take down a target site by flooding it with junk traffic.

Several networks of compromised machines were directed to attack big customers of web infrastructure company Dyn last week, Dyn officials and security researchers said.

The disruption had subsided by late Friday night in America, and two of the manufacturers whose devices had been hijacked for the attack pledged Monday to try to fix them.

But security experts said that many of the devices would never be fixed and that the broader security threat posed by the Internet of Things would get worse before it gets better.

“If you expect to fix all the internet devices that are out there, force better passwords, install some mechanism for doing updates and add some native security for the operating system, you are going to be working a long time,” said Ed Amoroso, founder of TAG Cyber and former chief security officer at AT&T.

Instead, Amoroso said he hoped that government officials would focus on recommending better software architecture and that business partners would insist on better standards.

In the meantime, fresh responses by two of the companies involved in the attacks illustrated the extent of the problem.

Chinese firm Hangzhou Xiongmai Technology Co Ltd, which makes components for surveillance cameras, said it would recall some products from the United States.

Another Chinese company, Dahua Technology, acknowledged that some of its older cameras and video recorders were vulnerable to attacks when users had not changed the default passwords. Like Xiongmai, it said it would offer firmware updates on its website to fix the problem and would give discounts to customers who wanted to exchange their gear.

But neither company has anything like a comprehensive list of its customers, many of whom will never learn of the problems, said Dale Drew, chief security officer with communications provider Level 3.

“I wouldn’t be surprised if the only way they are going to reach their consumers is through media reports,” Drew said.

Reporting by Joseph Menn in San Francisco. Additional reporting by Dustin Volz in Washington; Editing by Jonathan Weber and Leslie Adler